DoD 5220.22-M – The Secure Wiping Standard to Get Rid of Data

Written By

Sanjeev Yadav

Updated on

November 5, 2024

What is the DoD 5220.22-M Standard?

DoD 5220.22-M, also known as the National Industrial Security Program Operating Manual or NISPOM, is a media sanitization standard established by the U.S. Department of Defense. It outlines the regulatory measures and normative practices of sanitizing information systems and or the information storage media that is used to store classified information. It recommends overwriting all the addressable memory locations with a character, its complement, then a random character and verifying to clear and sanitize the information on the storage media.

The DoD 5220.22-M Data Wiping Process

The Department of Defense 5220.22-M uses three overwrite passes (0s, 1s, Random) with a 100% verification pass. In 2001, the DoD 5220.22-M ECE method, a 7-pass version of the standard, was published. It runs DoD 5220.22-M twice and an additional pass (DoD 5220.22-M (C) Standard) in between. Nevertheless, the three-pass method is still its standard implementation. The DoD 5220.22-M data wipe method involves the following passes:

Pass 1: Writes a zero and verifies the write.
Pass 2: Write a one and verify the write.
Pass 3: Writes a random character and verifies the write.

There are other iterations of the DoD standard with variations in the use of character, its complement (as in zero and one), and frequencies of verifications. E.g., an altered version of DoD 5220.22-M uses the number 97 instead of a random character for the last pass. Read more to know how to use DoD 5220.22-M Standard for Drive Erasure

US DoD 5220.22-M Clearing and Sanitization Matrix (CSM)

This section presents an outline of the DoD 5220.22-M specified ‘clear ‘and ‘sanitize’ methods for the different types of storage media. You can see the complete grid in the NISPOM Manual.

Storage Media	Clear	Sanitize
Magnetic Tape	Degauss	Degauss or destroy^*
Magnetic Disk	Degauss or overwrite	EAPROM/EEPROM^#
Optical Disk	Overwrite^**	Destroy
DRAM	Overwrite or remove all power	Overwrite, remove all power, or destroy
Overwrite, then full chip erase or destroy	Full chip erase^***	Overwrite or destroy
Flash EPROM	Full chip erase	Overwrite then full chip erase or destroy
Programmable ROM (PROM)	Overwrite	Destroy
Nonvolatile RAM (NOVRAM)	Overwrite or remove all power	Overwrite, remove all power, or destroy

* Destroy – disintegrate, incinerate, pulverize, shred, or melt.

** Overwrite – overwrite all addressable locations with a single character or a single character with complement and random character and verify.

*** Full chip erase as per manufacturer’s datasheets.

# EAPROM – Electronically Alterable PROM; EEPROM – Electronically Erasable PROM

What is the Advantage of The DoD 5220.22-M Algorithm?

The DoD 5220.22-M algorithm has long been recognized as a reliable and secure method for erasing data from traditional hard disk drives. Known for its credibility and widespread use across industries, it remains one of the most frequently searched data-wiping standards due to its established legacy. However, it’s important to note that the DoD 5220.22-M standard does not support modern storage technologies like SSDs, NVMe, or hybrid drives. For these newer devices, standards such as NIST SP 800-88 and IEEE 2883:2022 are now more suitable. Despite this, the DoD 5220.22-M standard still holds value for its efficiency and reliability in specific drives.

The DoD wiping process runs a three-pass overwrite process for comprehensive, efficient wiping as compared to other methods, such as the 35-pass Gutmann standard. Its importance is exemplified if you are trying to erase a large inventory of drives at once. Further, the verification at the final overwriting pass adds assurance to the data erasure process.

How to Perform DoD Wiping?

“DoD wipe” means overwriting all the addressable locations on a hard drive as per the steps specified in the DoD 5220.22-M algorithm. Professional data erasure software – BitRaser Drive Eraser can perform wiping of drives using DoD 5220.22-M standard. The software allows the users to select the specific algorithm to overwrite the hard drive storage locations as per the passes and patterns specified in the DoD 5220.22 algorithm. It generates a tamper-proof certificate and report of erasure, which serves as a documented trail for regulatory compliance.

DoD Wipe – Key Considerations

Here are some essential aspects to know before choosing the DoD 5220.22-M standard as a component of your organization’s media sanitization strategy:

DoD 5220.22 does not address wiping of flash memory-based storage such as solid-state drives (SSDs) and hybrid drives
The NISPOM guideline since 2014 specifies NIST SP 800-88 media sanitization guidelines as the primary guideline for media sanitization.
The Department of Defense no longer references DoD 5220.22 as the method for secure HDD wiping. You can read about the limitations of DoD 5220.22 standard in our blog.
There is no recommended “DoD certificate of destruction”; however, the software used to perform a DoD wipe can generate the certificate of destruction as a proof of audit trail.

Real-World Impact of DoD Wiping: Protecting Data Beyond Compliance

For organizations handling sensitive or regulated information, data disposal isn’t just a routine task—it’s a critical step in protecting both the business and its customers. DoD wiping provides a trusted and verified method for data erasure, meeting one of the most stringent data security standards worldwide. Companies in sectors like healthcare, finance, and government rely on BitRaser’s DoD-compliant wiping solution to ensure that retired or repurposed devices no longer contain recoverable data. This helps mitigate risks, protect brand reputation, and maintain compliance. For instance, Crowe LLP, a renowned public accounting consulting and technology firm, used BitRaser as it wanted to perform data wiping according to DoD standards. Crowe’s Case Study can be referred to for more details.

FAQs

Can data be recovered after a DoD wipe?

No, a DoD wipe is a secure method to erase data and ensure that data cannot be recovered.

What is a DoD wipe?

DoD wipe means overwriting all the addressable locations on a hard drive as per the steps specified in the DoD 5220.22-M algorithm.

How to Perform DoD Wiping?

You can use professional data erasure software like BitRaser Drive Eraser to perform DoD wiping using the DoD 5220.22-M standard on HDDs, SSDs, laptops, PCs, loose drives, servers, etc. You can also use BitRaser Mobile Eraser & Diagnostics to perform DoD wiping on mobile devices.

What is the difference between DoD 3 pass wipe and 7 pass wipe?

DoD 3 pass wipe uses three overwrite passes (0s, 1s, Random) with a 100% verification pass. DoD 7 pass wipe uses a 7-pass version of the standard where it runs DoD 5220.22-M twice and an additional pass (DoD 5220.22-M (C) Standard) in between.

About The Author

Sanjeev Yadav

57 posts

Sanjeev is a passionate writer with an engineering background, strong research skills, and unbridled enthusiasm to learn. With a rich experience of 14+ years across industries, he brings a fresh perspective to writing on technology and compliance. He enjoys watching movies and sitcom’s in his free time.